Office of the Privacy Commissioner | Case Note 100962 [2008] NZPrivCmr 5: Courier company delivers loan application pack to bank customer's neighbour
A woman asked her bank to restructure her bank loan. The bank prepared the loan documents and arranged to deliver them to her home by courier.
The bank gave the courier company incorrect delivery details. However, the woman's name and address were correctly printed and clearly visible in the window of the envelope. The courier company had written instructions to place the package in the customers mailbox if she was not at home.
A compliments slip was attached to the envelope. It read "please find loan documents for your signing", and asked the woman to return the documents by Friday. The heading "Application for Finance" was also visible through the window of the envelope.
The courier attempted to deliver the package but the woman was not at home. Contrary to instructions, the courier then left the package with the woman's neighbour to pass on to the woman when she returned home.
The woman complained to the bank that her loan documents had been handed to her neighbour and that it was evident the package was about a loan application. The bank apologised for the error. It explained that the envelope should have been placed in a courier bag. The bank said that it had discussed the incident with the courier and advised staff of correct procedures when sending information by courier. The bank offered to waive the loan application fee for the woman.
However, this offer did not satisfy the woman. The day before the documents were delivered, she had made an offer to purchase the neighbours property. She believed that as a result of the loan documents being delivered to the neighbour, the neighbour then inflated the asking price of the house.
The woman's complaint raised issues under principles 5 and 8.
Principle 5
Principle 5 states that agencies that hold personal information must take reasonable steps to ensure that the information is safeguarded against loss, unauthorised access, use or disclosure.
We were satisfied that the bank generally had reasonable processes to ensure that information sent by courier was kept secure. However, there were some unfortunate oversights in this instance:
- the envelope should have been placed in a courier bag;
- the envelope was a different size from the documents, which may have resulted in information being visible through the window of the envelope;
- the address the bank gave to the courier company was incorrect.
In the event, the disclosure was limited. The envelope had remained sealed at all times. The courier company had the correct address on the envelope. Also, the instructions for the courier to leave the package in the mailbox were clear, and, if followed, would have prevented any disclosure from occurring. The situation was therefore primarily not the bank's fault. The courier company confirmed that its driver had made an error and should have contacted the bank to seek authorisation for the envelope to be signed for by the woman's neighbour.
After investigation, we concluded that the situation was a one-off error which did not reveal systemic failings. We therefore decided that, in all the circumstances, the bank had taken reasonable steps to protect the security of the information. We were pleased to see that the bank took appropriate actions to check its policies and reinforce them with staff, to contact the courier company with its concerns, and to rectify the situation for the customer.
Principle 8
Under principle 8, an agency is required to take reasonable steps to ensure the accuracy of information.
The woman's address on the envelope was accurate, although the instructions to the courier gave a different address. The correct address was recorded in the bank's systems. A typographical error had occurred in the mail room, but the courier was in fact aware of the correct address.
This fell short of showing that the bank had, overall, failed to take reasonable steps to ensure that the information was accurate.
Harm
The customer claimed that she suffered financial harm, under section 66(1), because the neighbour raised the price of the house. However, there was no evidence that the bank's actions led to this state of affairs. The neighbour had not opened the envelope. There was no evidence that simply knowing that the woman had applied for a loan led to the neighbour raising the house price. If the amount of the loan had been known, the harm would have been more obvious.
We formed the final opinion that there was no interference with privacy. We also noted that the bank's offer of compensation and the other steps it took were appropriate to resolve the situation.
August 2008
Storage and security of personal information bank misaddressed envelope courier ignored instructions and gave package to neighbour reasonable security safeguards Privacy Act 1993, principle 5
Accuracy of personal information to be checked before use bank misaddressed envelope not banks fault that courier gave package to neighbour reasonable steps to ensure accuracy Privacy Act 1993, principle 8.
Interference with privacy bank application for loan revealed to neighbour - price of house allegedly raised need to demonstrate harm is direct result of breach no interference Privacy Act 1993, section 66(1)